Plugin/Theme Uploads: New capabilities; unify UIs; ensure compatibility with old filters.

Introduce upload_plugins and upload_themes capabilities to allow blocking of plugin and theme uploads, versus the old hacky (and not secure) ways of just hiding UI tabs. These are simply meta capabilities that map to install_plugins and install_themes. Also: * Use the same nice design for the plugin upload screen as the theme upload screen. * Better compatibility for the old install_themes_tabs filter added in [29002]. see #28578. * Ensure using the install_plugins_tabs filter to remove the upload tab removes the new button. * Use 'Add Plugins' instead of 'Install Plugins' to match 'Add Themes'. fixes #29236. git-svn-id: https://develop.svn.wordpress.org/trunk@29634 602fd350-edb4-49c9-b593-d223f7449a82
2014-08-27 01:31:05 +00:00 · 2014-08-27 01:31:05 +00:00 · 322991024f
parent 8ee417d4f4
commit 322991024f
7 changed files with 70 additions and 39 deletions
--- a/src/wp-admin/css/themes.css
+++ b/src/wp-admin/css/themes.css
@ -1091,7 +1091,8 @@ body.folded .theme-overlay .theme-wrap {
 .theme-install-php.show-upload-theme a.browse-themes {
 	display: inline;
 }
-.upload-theme {
+.upload-theme,
+.upload-plugin {
 	-webkit-box-sizing: border-box;
 	-moz-box-sizing: border-box;
 	box-sizing: border-box;
@ -1103,17 +1104,20 @@ body.folded .theme-overlay .theme-wrap {
 	position: relative;
 	top: 10px;
 }
-body.show-upload-theme .upload-theme {
+body.show-upload-theme .upload-theme,
+.upload-plugin {
 	display: block;
 }
-.upload-theme .wp-upload-form {
+.upload-theme .wp-upload-form,
+.upload-plugin .wp-upload-form {
 	background: #fafafa;
 	border: 1px solid #e5e5e5;
 	padding: 30px;
 	margin: 30px auto;
 	max-width: 380px;
 }
-.upload-theme .install-help {
+.upload-theme .install-help,
+.upload-plugin .install-help {
 	color: #999;
 	font-size: 18px;
 	font-style: normal;
--- a/src/wp-admin/includes/class-wp-plugin-install-list-table.php
+++ b/src/wp-admin/includes/class-wp-plugin-install-list-table.php
@ -69,8 +69,13 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 		if ( $tab === 'beta' || false !== strpos( $GLOBALS['wp_version'], '-' ) ) {
 			$tabs['beta']      = _x( 'Beta Testing', 'Plugin Installer' );
 		}
+		if ( current_user_can( 'upload_plugins' ) ) {
+			// No longer a real tab. Here for filter compatibility.
+			// Gets juggled into $nonmenu_tabs below.
+			$tabs['upload'] = __( 'Upload Plugin' );
+		}

-		$nonmenu_tabs = array( 'upload', 'plugin-information' ); //Valid actions to perform which do not have a Menu item.
+		$nonmenu_tabs = array( 'plugin-information' ); // Valid actions to perform which do not have a Menu item.

 		/**
 		 * Filter the tabs shown on the Plugin Install screen.
@ -91,6 +96,11 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 		 */
 		$nonmenu_tabs = apply_filters( 'install_plugins_nonmenu_tabs', $nonmenu_tabs );

+		if ( isset( $tabs['upload'] ) ) {
+			unset( $tabs['upload'] );
+			$nonmenu_tabs[] = 'upload';
+		}
+
 		// If a non-valid menu tab has been selected, And it's not a non-menu action.
 		if ( empty( $tab ) || ( !isset( $tabs[ $tab ] ) && !in_array( $tab, (array) $nonmenu_tabs ) ) )
 			$tab = key( $tabs );
--- a/src/wp-admin/includes/plugin-install.php
+++ b/src/wp-admin/includes/plugin-install.php
@ -195,7 +195,7 @@ function install_search_form( $type_selector = true ) {
 */
 function install_plugins_upload( $page = 1 ) {
 ?>
-	<h4><?php _e('Install a plugin in .zip format'); ?></h4>
+<div class="upload-plugin">
 	<p class="install-help"><?php _e('If you have a plugin in a .zip format, you may install it by uploading it here.'); ?></p>
 	<form method="post" enctype="multipart/form-data" class="wp-upload-form" action="<?php echo self_admin_url('update.php?action=upload-plugin'); ?>">
 		<?php wp_nonce_field( 'plugin-upload'); ?>
@ -203,6 +203,7 @@ function install_plugins_upload( $page = 1 ) {
 		<input type="file" id="pluginzip" name="pluginzip" />
 		<?php submit_button( __( 'Install Now' ), 'button', 'install-plugin-submit', false ); ?>
 	</form>
+</div>
 <?php
 }
 add_action('install_plugins_upload', 'install_plugins_upload', 10, 1);
--- a/src/wp-admin/plugin-install.php
+++ b/src/wp-admin/plugin-install.php
@ -26,7 +26,7 @@ $wp_list_table = _get_list_table('WP_Plugin_Install_List_Table');
 $pagenum = $wp_list_table->get_pagenum();
 $wp_list_table->prepare_items();

-$title = __('Install Plugins');
+$title = __( 'Add Plugins' );
 $parent_file = 'plugins.php';

 wp_enqueue_script( 'plugin-install' );
@ -75,16 +75,26 @@ include(ABSPATH . 'wp-admin/admin-header.php');
 <div class="wrap">
 <h2>
 	<?php
-		echo esc_html( $title );
-		$href = self_admin_url( 'plugin-install.php?tab=upload' );
+	echo esc_html( $title );
+	if ( ! empty( $tabs['upload'] ) && current_user_can( 'upload_plugins' ) ) {
+		if ( $tab === 'upload' ) {
+			$href = self_admin_url( 'plugin-install.php' );
+			$text = _x( 'Browse', 'plugins' );
+		} else {
+			$href = self_admin_url( 'plugin-install.php?tab=upload' );
+			$text = __( 'Upload Plugin' );
+		}
+		echo ' <a href="' . $href . '" class="upload add-new-h2">' . $text . '</a>';
+	}
 	?>
-	<a href="<?php echo $href; ?>" class="upload add-new-h2"><?php _e( 'Upload Plugin' ); ?></a>
 </h2>

-<?php $wp_list_table->views(); ?>
-
-<br class="clear" />
 <?php
+if ( $tab !== 'upload' ) {
+	$wp_list_table->views();
+	echo '<br class="clear" />';
+}
+
 /**
 * Fires after the plugins list table in each tab of the Install Plugins screen.
 *
--- a/src/wp-admin/theme-install.php
+++ b/src/wp-admin/theme-install.php
@ -27,11 +27,6 @@ if ( ! is_network_admin() ) {
 	$submenu_file = 'themes.php';
 }

-$tabs = array(
-	'upload'        => __( 'Upload Theme' ),
-	'browse-themes' => _x( 'Browse', 'themes' ),
-);
-
 $sections = array(
 	'featured' => __( 'Featured Themes' ),
 	'popular'  => __( 'Popular Themes' ),
@ -113,22 +108,24 @@ include(ABSPATH . 'wp-admin/admin-header.php');

 ?>
 <div class="wrap">
-	<h2>
-		<?php echo esc_html( $title ); ?>
-		<?php
-		/**
-		 * Filter the tabs shown on the Install Themes screen.
-		 * 
-		 * @since 2.8.0
-		 * @param array $tabs The tabs shown on the Install Themes screen. Defaults are
-		 *                    'upload' and 'browse-themes'.
-		 */
-		$tabs = apply_filters( 'install_themes_tabs', $tabs );
-		foreach ( $tabs as $tab_slug => $tab_name ) {
-			echo '<a href="#" class="' . esc_attr( $tab_slug ) . ' add-new-h2">' . $tab_name . '</a>';
-		}
-		?>
-	</h2>
+	<h2><?php
+	echo esc_html( $title );
+
+	/**
+	 * Filter the tabs shown on the Add Themes screen.
+	 *
+	 * This filter is for backwards compatibility only,
+	 * for the suppression of the upload tab.
+	 *
+	 * @since 2.8.0
+	 * @param array $tabs The tabs shown on the Add Themes screen. Default is 'upload'.
+	 */
+	$tabs = apply_filters( 'install_themes_tabs', array( 'upload' => __( 'Upload Theme' ) ) );
+	if ( ! empty( $tabs['upload'] ) && current_user_can( 'upload_themes' ) ) {
+		echo ' <a href="#" class="upload add-new-h2">' . __( 'Upload Theme' ) . '</a>';
+		echo ' <a href="#" class="browse-themes add-new-h2">' . _x( 'Browse', 'themes' ) . '</a>';
+	}
+	?></h2>

 	<div class="upload-theme">
 	<?php install_themes_upload(); ?>
--- a/src/wp-admin/update.php
+++ b/src/wp-admin/update.php
@ -123,8 +123,9 @@ if ( isset($_GET['action']) ) {

 	} elseif ( 'upload-plugin' == $action ) {

-		if ( ! current_user_can('install_plugins') )
+		if ( ! current_user_can( 'upload_plugins' ) ) {
 			wp_die( __( 'You do not have sufficient permissions to install plugins on this site.' ) );
+		}

 		check_admin_referer('plugin-upload');

@ -227,8 +228,9 @@ if ( isset($_GET['action']) ) {

 	} elseif ( 'upload-theme' == $action ) {

-		if ( ! current_user_can('install_themes') )
+		if ( ! current_user_can( 'upload_themes' ) ) {
 			wp_die( __( 'You do not have sufficient permissions to install themes on this site.' ) );
+		}

 		check_admin_referer('theme-upload');

--- a/src/wp-includes/capabilities.php
+++ b/src/wp-includes/capabilities.php
@ -1262,18 +1262,25 @@ function map_meta_cap( $cap, $user_id ) {
 	case 'update_plugins':
 	case 'delete_plugins':
 	case 'install_plugins':
+	case 'upload_plugins':
 	case 'update_themes':
 	case 'delete_themes':
 	case 'install_themes':
+	case 'upload_themes':
 	case 'update_core':
 		// Disallow anything that creates, deletes, or updates core, plugin, or theme files.
 		// Files in uploads are excepted.
-		if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )
+		if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) {
 			$caps[] = 'do_not_allow';
-		elseif ( is_multisite() && ! is_super_admin( $user_id ) )
+		} elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {
 			$caps[] = 'do_not_allow';
-		else
+		} elseif ( 'upload_themes' === $cap ) {
+			$caps[] = 'install_themes';
+		} elseif ( 'upload_plugins' === $cap ) {
+			$caps[] = 'install_plugins';
+		} else {
 			$caps[] = $cap;
+		}
 		break;
 	case 'activate_plugins':
 		$caps[] = $cap;